diff options
author | Matt Caswell <matt@openssl.org> | 2018-08-08 16:29:33 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-08-09 11:53:09 +0200 |
commit | 9b287d53db2596a62fc0b94557d521a43f067e81 (patch) | |
tree | f1ffe9e68e4abde7d9e031ad9357442d97594ee7 /test/recipes | |
parent | Improve fallback protection (diff) | |
download | openssl-9b287d53db2596a62fc0b94557d521a43f067e81.tar.xz openssl-9b287d53db2596a62fc0b94557d521a43f067e81.zip |
Add a test for TLSv1.3 fallback
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)
Diffstat (limited to 'test/recipes')
-rw-r--r-- | test/recipes/70-test_tls13downgrade.t | 42 |
1 files changed, 31 insertions, 11 deletions
diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t index dbf011cb2b..cc5fb16d2b 100644 --- a/test/recipes/70-test_tls13downgrade.t +++ b/test/recipes/70-test_tls13downgrade.t @@ -41,14 +41,15 @@ my $proxy = TLSProxy::Proxy->new( use constant { DOWNGRADE_TO_TLS_1_2 => 0, - DOWNGRADE_TO_TLS_1_1 => 1 + DOWNGRADE_TO_TLS_1_1 => 1, + FALLBACK_FROM_TLS_1_3 => 2, }; #Test 1: Downgrade from TLSv1.3 to TLSv1.2 $proxy->filter(\&downgrade_filter); my $testtype = DOWNGRADE_TO_TLS_1_2; $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 3; +plan tests => 4; ok(TLSProxy::Message->fail(), "Downgrade TLSv1.3 to TLSv1.2"); #Test 2: Downgrade from TLSv1.3 to TLSv1.1 @@ -64,6 +65,18 @@ $proxy->serverflags("-no_tls1_3"); $proxy->start(); ok(TLSProxy::Message->fail(), "Downgrade TLSv1.2 to TLSv1.1"); +#Test 4: Client falls back from TLSv1.3 (server does not support the fallback +# SCSV) +$proxy->clear(); +$testtype = FALLBACK_FROM_TLS_1_3; +$proxy->clientflags("-fallback_scsv -no_tls1_3"); +$proxy->start(); +my $alert = TLSProxy::Message->alert(); +ok(TLSProxy::Message->fail() + && !$alert->server() + && $alert->description() == TLSProxy::Message::AL_DESC_ILLEGAL_PARAMETER, + "Fallback from TLSv1.3"); + sub downgrade_filter { my $proxy = shift; @@ -76,18 +89,25 @@ sub downgrade_filter my $message = ${$proxy->message_list}[0]; my $ext; - if ($testtype == DOWNGRADE_TO_TLS_1_2) { - $ext = pack "C3", - 0x02, # Length - 0x03, 0x03; #TLSv1.2 + if ($testtype == FALLBACK_FROM_TLS_1_3) { + #The default ciphersuite we use for TLSv1.2 without any SCSV + my @ciphersuites = (TLSProxy::Message::CIPHER_RSA_WITH_AES_128_CBC_SHA); + $message->ciphersuite_len(2 * scalar @ciphersuites); + $message->ciphersuites(\@ciphersuites); } else { - $ext = pack "C3", - 0x02, # Length - 0x03, 0x02; #TLSv1.1 + if ($testtype == DOWNGRADE_TO_TLS_1_2) { + $ext = pack "C3", + 0x02, # Length + 0x03, 0x03; #TLSv1.2 + } else { + $ext = pack "C3", + 0x02, # Length + 0x03, 0x02; #TLSv1.1 + } + + $message->set_extension(TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext); } - $message->set_extension(TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext); - $message->repack(); } |